BUG: DejaCode exported CycloneDX SBOM does not retain dependency relationship
Describe the bug Current DejaCode versions already represent the relationships between packages in a product's inventory and their dependencies on other packages. However, when exporting an SBOM, that relationship is not correctly represented in the resulting file. This was tested with CycloneDX as the output format.
The resulting file lists all packages as if they were direct dependencies. This is incorrect, as some may only be transitive dependencies. This is highly important to get right for regulatory purposes, as it indicates who is responsible for fixing issues or updating versions. If it is a direct dependency, then the organisation developing the product is directly responsible. However, if a dependency of the product has transitive dependencies where a package is outdated, then the organisation developing the product may have to wait for a patch of that dependency to be released. Furthermore, displaying transitive dependencies as direct dependencies is simply inaccurate for the purpose of software component analysis.
To Reproduce
- Create a product in DejaCode
- Generate an SBOM for a product with a tool such as cdxgen, where there are transitive dependencies
- Use "Actions > Load packages from SBOMs" with "Scan all packages of this product post-import" checked
- Once the import is completed you should see the inventory populated and dependencies filled
- Use "Share > CycloneDX" to export an SBOM in format version 1.6
- Open the SBOM in an editor of your choice and see that all packages are listed as direct dependencies under the key "dependencies" and within that "dependsOn".
Expected behavior Instead of having all packages listed in "dependsOn" as direct dependencies, they should be listed as follows:
- All dependencies should each have an entry like:
  { "ref": "pkg:pkgmanager/[email protected]", "dependsOn": [] }
- "dependsOn" should reference the PURLs of other packages that they depend on, if any (just like dependencies already do in DejaCode's internal model)
Important: The SBOM import must also ensure that only direct dependencies are listed as packages in the inventory and indirect/transitive dependencies are listed as dependencies. Otherwise this cannot be fixed afterwards. Hence, this issue is related to https://github.com/aboutcode-org/dejacode/issues/122
Screenshots n.a.
Context (OS, Browser, Device, etc.): n.a.
@ghsa-retrieval thanks for this report. Here is an updated list of related issues:
- https://github.com/aboutcode-org/dejacode/issues/138
- https://github.com/aboutcode-org/dejacode/issues/122
- https://github.com/aboutcode-org/dejacode/issues/175
- https://github.com/aboutcode-org/dejacode/issues/11
- https://github.com/aboutcode-org/scancode.io/issues/1066
- https://github.com/aboutcode-org/scancode.io/issues/1145
Sorry if this ticket is too similar or has too much overlap.
The implementation issue is in the get_cyclonedx_bom function, where all dependencies get added to the root node regardless of what the dependency tree looks like. The function would first have to reconstruct the tree from the data model and then add the relations based on direct dependencies and the Product Dependencies accordingly.
https://github.com/aboutcode-org/dejacode/blob/eed07019eef73d06ef99600407f52df6a99e98e8/dje/outputs.py#L134
See the other ticket for a related comment and major pitfalls due to direct dependency information not being retained by DejaCode: https://github.com/aboutcode-org/dejacode/issues/122#issuecomment-3182515607
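The following is an added example, not code from DejaCode or from anyone in this thread. It shows the two shapes of the CycloneDX 1.6 "dependencies" array discussed above (the flattened one that the export currently produces, and the expected one where the root lists only direct dependencies and each package lists its own "dependsOn"), how to rebuild the expected shape from a parent/child relation list such as the one DejaCode's internal model holds, and a check that flags an exported SBOM showing the symptom from the report. The inventory is modelled as a set of PURLs plus (parent, child) relations; that model, the PURLs, and the product name are constructed sample data and assumptions made for this example, not DejaCode's data structures.

```python
"""Added example: CycloneDX 1.6 dependency tree vs. flattened export.

Not DejaCode code. The inventory model (a set of PURLs plus a list of
(parent_purl, child_purl) relations) and all PURLs below are constructed
sample data chosen for illustration.
"""
from collections import defaultdict
import json

# Constructed sample inventory: the product depends directly on requests;
# requests depends on urllib3 and certifi, which are therefore transitive.
ROOT_REF = "pkg:generic/my-product@1.0.0"
PACKAGES = [
    "pkg:pypi/requests@2.32.3",
    "pkg:pypi/urllib3@2.2.2",
    "pkg:pypi/certifi@2024.7.4",
]
RELATIONS = [
    ("pkg:pypi/requests@2.32.3", "pkg:pypi/urllib3@2.2.2"),
    ("pkg:pypi/requests@2.32.3", "pkg:pypi/certifi@2024.7.4"),
]


def flat_dependencies(root_ref, packages):
    """The shape described in the report: every package hangs off the root
    as if it were a direct dependency, and no package lists children."""
    return [{"ref": root_ref, "dependsOn": sorted(packages)}] + [
        {"ref": p, "dependsOn": []} for p in sorted(packages)
    ]


def tree_dependencies(root_ref, packages, relations):
    """Expected shape: the root lists only direct dependencies and each
    package lists the packages it depends on. A package counts as direct
    when no other package in the inventory depends on it."""
    children = defaultdict(set)
    has_parent = set()
    for parent, child in relations:
        children[parent].add(child)
        has_parent.add(child)
    direct = [p for p in packages if p not in has_parent]
    entries = [{"ref": root_ref, "dependsOn": sorted(direct)}]
    for p in sorted(packages):
        entries.append({"ref": p, "dependsOn": sorted(children[p])})
    return entries


def build_bom(root_ref, packages, dependencies):
    """Minimal CycloneDX 1.6 JSON document around a dependencies array."""
    name, version = root_ref.rsplit("/", 1)[1].rsplit("@", 1)
    components = []
    for p in sorted(packages):
        pname, pversion = p.rsplit("/", 1)[1].rsplit("@", 1)
        components.append({"type": "library", "bom-ref": p, "purl": p,
                           "name": pname, "version": pversion})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                   "name": name, "version": version}},
        "components": components,
        "dependencies": dependencies,
    }


def direct_and_transitive(bom, root_ref):
    """Classify refs as direct or transitive relative to root_ref by walking
    the dependsOn edges of the dependencies array."""
    graph = {d["ref"]: set(d.get("dependsOn", [])) for d in bom["dependencies"]}
    direct = set(graph.get(root_ref, set()))
    transitive, stack = set(), list(direct)
    while stack:
        for child in graph.get(stack.pop(), ()):
            if child not in direct and child not in transitive:
                transitive.add(child)
                stack.append(child)
    return direct, transitive


def looks_flattened(bom, root_ref):
    """True when every non-root ref sits directly under the root and no
    package lists any children: the symptom reported in this issue."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom["dependencies"]}
    others = set(graph) - {root_ref}
    return bool(others) and set(graph.get(root_ref, [])) == others and all(
        not graph[r] for r in others
    )


if __name__ == "__main__":
    for label, deps in (("flat", flat_dependencies(ROOT_REF, PACKAGES)),
                        ("tree", tree_dependencies(ROOT_REF, PACKAGES, RELATIONS))):
        bom = build_bom(ROOT_REF, PACKAGES, deps)
        print(label, "flattened:", looks_flattened(bom, ROOT_REF),
              "direct/transitive:", direct_and_transitive(bom, ROOT_REF))
        print(json.dumps(bom["dependencies"], indent=2))
```

One caveat on the check: a product whose inventory genuinely has no transitive dependencies produces the same shape as the flattened export, so looks_flattened is a smell to investigate against the inventory's dependency view, not proof of the bug on its own. The direct/transitive split is also only as good as the relations that survived import, which is why the report ties this to the import side in issue 122.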